Research Overview
Secure Systems Lab is a leader in the area of software security. Our research addresses security threats due to benign software vulnerabilities, as well as those due to untrusted code and malware. Our techniques target all phases of cyber attacks, including:
- prediction (software and configuration vulnerability analysis),
- prevention (blocking exploit mechanisms, policy enforcement),
- detection (host and network-based intrusion detection),
- containment (isolated execution environments and virtual networks),
- response (self-healing and self-regenerative techniques), and
- recovery (contamination analysis and rollback).
Below is a sampling of our research. For more information, visit our publications page.
- Randomization-based defenses for memory error exploits. We were one of the inventors of the popular address-space randomization (ASR) technique, which has proven so effective that it has found its way into many modern OSes, including Linux and Windows. We published the first paper [95] on this topic, and have developed techniques for achieving ASR on Linux [95] as well as Windows [74]. We subsequently developed the technique of relative address randomization [83]. Most recently, we explored another facet of randomization, namely data-space randomization [65].
- Automata models of program behavior. We first proposed the use of finite-state automata models [103] for system-call based anomaly detection. Since then, automata models have become the de facto standard for system-call anomaly detection, and have been the topic of much research in academia as well as of some products in industry. Our dataflow anomaly detection [80] work extended these automata models to capture rich information on system-call arguments. Recently, we demonstrated a class of mimicry attacks on system-call anomaly detectors, called persistent interposition attacks [69].
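As an added illustration (not the lab's code), the following toy model shows the idea behind automaton-based system-call anomaly detection and its dataflow extension: transitions between consecutive system calls are learned from training traces, selected argument values are recorded per call, and any transition or argument not seen in training is reported. The traces, the syscall names and the `SyscallFSA` class are all constructed for this example.

```python
from collections import defaultdict

class SyscallFSA:
    """Automaton learned from system-call traces: states are syscalls, transitions
    are consecutive pairs seen in training, plus a per-call set of argument values
    (the kind of argument information the dataflow extension adds)."""
    START = "<start>"

    def __init__(self):
        self.next = defaultdict(set)   # state -> syscalls observed to follow it
        self.args = defaultdict(set)   # syscall -> argument values observed

    def train(self, trace):
        prev = self.START
        for call, arg in trace:
            self.next[prev].add(call)
            if arg:
                self.args[call].add(arg)
            prev = call

    def check(self, trace):
        """Return (index, reason) for each event the model does not accept."""
        anomalies, prev = [], self.START
        for i, (call, arg) in enumerate(trace):
            if call not in self.next.get(prev, set()):
                anomalies.append((i, f"unseen transition {prev} -> {call}"))
            elif arg and call in self.args and arg not in self.args[call]:
                anomalies.append((i, f"unseen argument {arg!r} for {call}"))
            prev = call
        return anomalies

# Constructed training traces of a small utility: (syscall, argument of interest).
TRAINING = [
    [("open", "/etc/passwd"), ("read", ""), ("close", ""), ("write", "stdout"), ("exit", "")],
    [("open", "/etc/group"), ("read", ""), ("read", ""), ("close", ""), ("write", "stdout"), ("exit", "")],
]
NORMAL = [("open", "/etc/group"), ("read", ""), ("close", ""), ("write", "stdout"), ("exit", "")]
# Constructed anomalous trace: an unseen file argument, then a call never seen after read.
ANOMALOUS = [("open", "/etc/shadow"), ("read", ""), ("unlink", "/tmp/scratch"), ("exit", "")]

def build_model(traces=TRAINING):
    fsa = SyscallFSA()
    for trace in traces:
        fsa.train(trace)
    return fsa

if __name__ == "__main__":
    model = build_model()
    print("normal:", model.check(NORMAL))        # []
    print("anomalous:", model.check(ANOMALOUS))  # three anomalies at indices 0, 2, 3
```

Once a state is left through an unseen transition, every following event is also reported, which is why a real detector resynchronizes or aggregates alerts rather than counting each event separately.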
- Taint-enhanced policy enforcement. Taint-tracking has recently become very popular in software security. It requires fine-grained program transformation, and hence early works suffered from very high performance overheads. We developed the first technique that reduced the overhead of taint-tracking for C programs by an order of magnitude [78]. We also showed that taint-tracking, combined with security policies, can effectively block exploits of the most common software vulnerabilities, including buffer overflows, format-string attacks, SQL injection, cross-site scripting, command injection, and path traversal. Recently, we developed a technique for taint-tracking on binaries [68] that represented a more than three-fold performance improvement over the best previously reported. We have also developed a new black-box technique [58] for inferring taint, and a proactive malware defense [67] based on taint-tracking.
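As an added illustration (not the lab's code), the following example shows what "taint-tracking combined with security policies" means at an SQL sink: a string type propagates a per-character taint bit through concatenation, and the sink policy rejects a query in which tainted characters change the statement's structure (a tainted quote closing a literal, or tainted non-numeric data outside a literal). The `TStr` class, the `sql_policy` function, the `build_query` application stub and the sample inputs are all constructed for this example.

```python
class TStr:
    """A string that carries a taint bit per character (True = derived from
    untrusted input).  Concatenation propagates taint position by position."""
    def __init__(self, text, taint=False):
        self.text = text
        self.taint = [taint] * len(text) if isinstance(taint, bool) else list(taint)

    def __add__(self, other):
        other = other if isinstance(other, TStr) else TStr(other)  # literals are untainted
        return TStr(self.text + other.text, self.taint + other.taint)

def sql_policy(s):
    """Sink policy for SQL queries: tainted data may only be the body of a string
    literal opened by untainted code, or a bare numeric token.  A tainted quote
    that closes a literal, or tainted keywords/operators outside a literal, mean
    untrusted input changed the statement's structure.  Returns None or a reason."""
    i, n = 0, len(s.text)
    while i < n:
        if s.text[i] == "'" and not s.taint[i]:
            j = i + 1                              # scan the literal body
            while j < n and s.text[j] != "'":
                j += 1
            if j < n and s.taint[j]:
                return f"tainted quote closes literal at {j}"
            i = j + 1
        elif s.taint[i]:
            j = i                                  # maximal tainted run outside a literal
            while j < n and s.taint[j]:
                j += 1
            if not s.text[i:j].isdigit():
                return f"tainted non-numeric token {s.text[i:j]!r} at {i}"
            i = j
        else:
            i += 1
    return None

def build_query(user_input, numeric=False):
    """Constructed application code: the input is tainted, the template is not."""
    if numeric:
        return TStr("SELECT * FROM users WHERE id=") + TStr(user_input, True)
    return TStr("SELECT * FROM users WHERE name='") + TStr(user_input, True) + "'"

if __name__ == "__main__":
    for inp, num in [("alice", False), ("x' OR '1'='1", False), ("42", True), ("1 OR 1=1", True)]:
        print(repr(inp), "->", sql_policy(build_query(inp, num)) or "allowed")
```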
- Model-based vulnerability analysis. Our work in 1998 [111] (subsequently expanded in [100]) was the first to develop a systematic approach for discovering unknown vulnerabilities in computer systems using a model-based analysis, specifically customized model-checking techniques, and to generate attacks automatically from this analysis. Model-checking has subsequently become very popular for analyzing security vulnerabilities, forming the basis of works such as MulVal and many works on attack graphs. Subsequently, we explored the use of model-checking for security policy generation [92] for untrusted code. Our ongoing work uses model-based analysis for analyzing trust in distributed systems, and for software vulnerability detection.
- Automated generation of attack-blocking signatures. Initial research in this area was based on discovering invariants in the payloads of network-based attacks. Unfortunately, this requires a large number of attack samples and, moreover, can be easily evaded by knowledgeable attackers. In contrast, we developed the first techniques that produce very general signatures from a single attack sample: one technique is based on program behavior models, and another on forensic analysis of process memory. These signatures are vulnerability-based rather than payload-based, and are hence difficult to evade. Our current work automates signature generation for web application vulnerabilities. These signatures are meant to be deployed on web application firewalls such as ModSecurity.
- Untrusted code security. Safe execution can be achieved by enforcing appropriate security policies on untrusted code. The biggest challenge, then, is the development of these policies. In the model-carrying code [92] project, we developed techniques that enabled code producers and consumers to collaborate in order to largely automate the generation of policies. Our award-winning Alcatraz [91] and Safe execution environments [88] projects explored a different approach to simplifying policy development, based on the concept of logically isolated execution. More recently, we developed tools for automating the generation of information flow policies, which formed the basis of our proactive malware defense [67]. In this context, we also addressed the problem of secure software installation [64]. Finally, we extended the concept of isolated execution to networks via the concept of logically isolated virtual networks [84, 63].